TL;DR: Identity threat detection and response is shifting from login control to post-authentication behaviour across human users, service accounts, and AI agents, according to Permiso Security’s award write-up. The core governance problem is that access tools stop at the front door, while attacks increasingly hide inside valid sessions and identity activity.
At a glance
What this is: Permiso Security argues that ITDR must watch what identities do after authentication across human, non-human, and AI identities.
Why it matters: This matters because IAM, PAM, and MFA do not surface malicious behaviour once a valid identity is already inside, which leaves NHI, autonomous, and human programmes exposed to the same post-authentication blind spot.
By the numbers:
- The platform ships with more than 1,500 detection signals, each tied to real attacker behaviour rather than a static rule.
Context
Identity threat detection and response is the practice of spotting suspicious identity behaviour after authentication rather than relying only on the initial access check. The problem this article surfaces is simple: once credentials are valid, many traditional controls lose their best chance to distinguish normal use from attacker activity, especially across NHI, human, and AI agent identities.
That gap matters because cloud and hybrid environments now depend on identities that act continuously, not just at sign-in. When service accounts, API keys, and AI agents behave like first-class operational identities, security teams need visibility into actions, not just authentication events, or they risk missing the point where misuse becomes impact.
Key questions
Q: How should security teams detect identity compromise after authentication?
A: They should monitor what each identity actually does after login, including privilege use, command patterns, unusual data access, and cross-system movement. Authentication confirms entry, but post-authentication telemetry reveals misuse. The best programmes correlate behaviour across cloud and on-premises systems so analysts can tell normal activity from compromised or abused identity sessions.
Q: Why do service accounts and AI agents create more identity risk?
A: They expand the attack surface because they often hold credentials, operate continuously, and perform actions without the human review loops that catch misuse quickly. When those identities are over-privileged or poorly attributed, attackers can hide inside normal machine activity. That makes action-level visibility and tight entitlement scope essential.
Q: What do security teams get wrong about identity threat detection?
A: They often treat it as a substitute for IAM or PAM rather than a layer that complements them. Access control decides who can enter, but ITDR shows whether the identity is behaving as expected once inside. If teams focus only on authentication events, they miss the stage where most compromise becomes operational impact.
Q: How can organisations tell whether identity monitoring is working?
A: A working programme can correlate one identity across login events, session activity, privilege use, and investigation context without fragmenting the picture. If analysts still need separate tools to understand who acted, what they did, and where they moved, the programme is missing the behavioural layer that ITDR is meant to provide.
Technical breakdown
Post-authentication visibility in identity threat detection
ITDR extends detection past the authentication event and into session behaviour, command patterns, data access, privilege use, and lateral movement indicators. In practice, the system builds a behavioural baseline for each identity and flags deviations that indicate compromise, misuse, or automation abuse. This is distinct from IAM, which answers whether access is allowed, and from PAM, which focuses on privileged access boundaries. The technical value comes from correlating identity actions across cloud and on-premises systems so analysts can reconstruct what the identity actually did, not just that it logged in.
Practical implication: align detections to identity behaviour after login, not only to authentication success or failure.
Why service accounts and AI agents expand the detection surface
Service accounts, API keys, and AI agents create a larger identity surface because they operate programmatically, often with broad entitlements and fewer human review points. Their actions may be routine, but their compromise patterns often look like normal machine-to-machine activity until the behaviour diverges. In an ITDR model, the key is identity attribution: every action must be tied back to a specific executor so the platform can distinguish expected workload behaviour from credential abuse, shadow agent activity, or over-broad privilege use.
Practical implication: require action-level attribution for all non-human identities, including AI agents and shadow identities.
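The baseline-and-deviation logic described above, with executor attribution for non-human identities, as an added illustration that is not Permiso's code and not from the original article. The event records, action names and identities are constructed for the example; the only assumption is that audit telemetry carries the session, the authenticated principal and the action performed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One post-authentication action, as a minimal cloud audit record (constructed)."""
    session: str    # authenticated session or token id
    identity: str   # principal the session authenticated as ("" if attribution failed)
    kind: str       # "human", "service" or "agent"
    action: str     # API action performed after login
    resource: str

# Constructed sample telemetry: a baseline window followed by today's events.
BASELINE = [
    Event("s1", "svc-backup", "service", "s3:GetObject", "bucket/backups"),
    Event("s1", "svc-backup", "service", "s3:PutObject", "bucket/backups"),
    Event("s2", "alice", "human", "ec2:DescribeInstances", "*"),
    Event("s2", "alice", "human", "iam:ListRoles", "*"),
    Event("s3", "agent-triage", "agent", "logs:FilterLogEvents", "grp/app"),
]
TODAY = [
    Event("s9", "svc-backup", "service", "s3:GetObject", "bucket/backups"),
    Event("s9", "svc-backup", "service", "iam:CreateAccessKey", "user/alice"),    # deviation
    Event("s10", "", "service", "s3:GetObject", "bucket/payroll"),                # shadow identity
    Event("s11", "agent-triage", "agent", "iam:AttachRolePolicy", "role/admin"),  # deviation
    Event("s12", "alice", "human", "ec2:DescribeInstances", "*"),
]

# Action prefixes treated as privilege use (hypothetical, tune per environment).
PRIVILEGE_ACTIONS = ("iam:", "sts:AssumeRole")

def build_baseline(events):
    """Per-identity set of actions observed during the baseline window."""
    seen = defaultdict(set)
    for e in events:
        if e.identity:                      # unattributed events never enter the baseline
            seen[e.identity].add(e.action)
    return seen

def detect(events, baseline):
    """Flag post-authentication deviations as (session, identity, action, reason) tuples."""
    findings = []
    for e in events:
        if not e.identity:                  # valid session, but no executor to attribute it to
            findings.append((e.session, e.identity, e.action, "unattributed executor"))
            continue
        novel = e.action not in baseline.get(e.identity, set())
        privileged = e.action.startswith(PRIVILEGE_ACTIONS)
        if novel and privileged:
            findings.append((e.session, e.identity, e.action, "new privilege use"))
        elif novel:
            findings.append((e.session, e.identity, e.action, "new action for identity"))
    return findings
```

Note that the authentication itself succeeded for every event in `TODAY`; only the per-identity behaviour separates the three findings from the two routine actions.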
Identity graphs and lateral movement investigation
An identity graph links people, service accounts, tokens, devices, and agents so investigators can see relationship context during an incident. This matters because compromise is rarely isolated to one login. Once a malicious actor gains one identity, the investigation often turns into tracing privilege chains, session reuse, and cross-system movement. Graph-based correlation helps reduce alert fragmentation by showing which identities are related, which permissions were actually exercised, and where the attack progressed after initial access.
Practical implication: build investigations around identity relationships and exercised privileges, not isolated alerts.
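The identity-graph investigation described in this section, as an added example that is not Permiso's code and not from the original article. The relationship edges are constructed and record only relationships that were actually exercised in telemetry, so the traversal follows privilege use rather than entitlements on paper; node and relation names are assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed edges (source, relation, target) between people, roles, keys, devices
# and agents. Each edge exists because the action was observed, not because it was permitted.
EDGES = [
    ("user:alice", "logged_in_from", "device:laptop-7"),
    ("user:alice", "assumed_role", "role:deploy"),
    ("role:deploy", "created_key", "key:EXAMPLE-KEY-1"),
    ("key:EXAMPLE-KEY-1", "authenticated_as", "svc:ci-runner"),
    ("svc:ci-runner", "invoked", "agent:release-bot"),
    ("agent:release-bot", "assumed_role", "role:prod-admin"),
    ("user:bob", "assumed_role", "role:deploy"),         # related to the chain, not downstream of it
    ("user:carol", "logged_in_from", "device:laptop-7"),
]

IDENTITY_TYPES = {"user", "svc", "agent", "role"}

def build_graph(edges):
    """Adjacency list keyed by source node."""
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj

def blast_radius(graph, start):
    """BFS from a compromised identity; maps each reached node to the hop path that led there."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [(node, rel, nxt)]
                queue.append(nxt)
    return paths

def identities_reached(paths):
    """Identity-typed nodes the attacker could have progressed to, excluding the start node."""
    return sorted(n for n, p in paths.items() if p and n.split(":")[0] in IDENTITY_TYPES)

def related_identities(edges, paths):
    """Identities outside the chain that share a device, role or key with it (context, not proof)."""
    return sorted({src for src, _, dst in edges if dst in paths and src not in paths})

def describe_path(paths, target):
    """Human-readable privilege chain for an analyst's timeline."""
    return " -> ".join(f"{s} [{r}] {d}" for s, r, d in paths[target])
```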
NHI Mgmt Group analysis
Post-authentication behaviour is now the real identity control plane. IAM and MFA still matter, but they only answer whether a credential got in. Modern attacks increasingly happen after that point, which means the control problem has shifted from access grant to identity action monitoring. For NHI, human, and AI agent programmes alike, the practitioner conclusion is the same: if you cannot observe what an identity does after authentication, you do not really control it.
Identity threat detection has become a governance layer, not just a detection layer. Once service accounts and AI agents are treated as operational identities, the issue is no longer only compromise but accountability. A platform that can attribute actions across cloud and hybrid environments gives security teams a way to reason about ownership, scope, and abnormal use in one place. The practitioner implication is to treat behavioural identity telemetry as part of identity governance, not a separate security curiosity.
Universal identity correlation is the named concept this category is converging on. The article’s strongest idea is that humans, non-human identities, and AI agents can be analysed through one identity graph when the goal is to detect misuse after authentication. That model aligns with OWASP-NHI and NIST CSF thinking because it ties identity events to control outcomes rather than to login events alone. Practitioners should expect identity security programmes to be judged on correlation depth, not just provisioning quality.
AI agents force identity security to account for runtime behaviour, not static entitlement lists. Even when an agent is not fully autonomous, it can still execute actions that outpace human review cycles. That makes behavioural detection and real-time attribution more important than periodic access review alone. The practitioner conclusion is to assess whether current controls can observe agent action paths in time to matter.
Static rules are losing relevance against adaptive identity attacks. Detection logic that only looks for a fixed indicator often misses modern misuse patterns, especially when credentials are legitimate and activity looks ordinary at first glance. The article’s emphasis on research-driven signals reflects the broader shift toward behaviour-based identity defence. Practitioners should prioritise detections that can evolve with attacker tradecraft.
From our research:
- strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts.
- That governance gap is why the NHI Lifecycle Management Guide is a useful next step for teams reassessing provisioning, rotation, and offboarding.
What this signals
Identity telemetry will become a board-level control expectation, not an engineering nice-to-have. As environments mix people, workloads, and AI agents, post-authentication visibility becomes the only practical way to separate legitimate action from misuse. Teams that still rely on access grant controls alone will find that their detection picture is too thin to explain incidents or satisfy governance scrutiny.
Universal identity correlation: the next maturity step is to connect human IAM, NHI governance, and AI agent oversight through one investigative model. That means your programme should be able to answer who acted, what identity did it, and whether the action matched expected behaviour. If it cannot, the gap is structural rather than tactical.
For practitioners
- Instrument post-authentication telemetry for all identities: Capture actions after sign-in, including privilege use, command sequences, data access, and cross-environment movement. Without that visibility, compromised identities can behave like normal users or workloads and stay hidden.
- Attribute every machine action to a specific executor: Tie service accounts, API keys, workload identities, and AI agents back to a named identity record so investigations can distinguish expected behaviour from shadow activity, stolen credentials, or over-permissioned automation.
- Use identity graphs to shorten investigations: Correlate human, NHI, and AI agent activity across cloud and hybrid systems so analysts can trace lateral movement, reuse of credentials, and related identities in a single investigative path.
- Review whether existing controls stop at authentication: Test IAM, PAM, and MFA against realistic misuse scenarios where access is valid but behaviour is malicious. If the control stack cannot flag that difference, ITDR-style visibility is missing.
Key takeaways
- ITDR matters because valid access is no longer a reliable indicator of safe behaviour once an identity is inside the environment.
- The strongest evidence in the article is the move to more than 1,500 behavioural detections and full identity coverage across humans, NHIs, and AI agents.
- Practitioners should treat post-authentication telemetry, identity attribution, and graph-based investigation as core identity controls, not optional add-ons.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers visibility and detection for non-human identities after authentication. |
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring fits the article's emphasis on activity after login. |
| NIST Zero Trust (SP 800-207) | PR.AC-6 | Zero trust requires continuous validation of identity behaviour, not only initial entry. |
Map workload and service identities to behavioural telemetry and alert on activity that departs from expected use.
Key terms
- Identity Threat Detection And Response: A security approach that looks for suspicious identity behaviour after authentication rather than only verifying access at sign-in. It correlates session activity, privilege use, and movement across systems so teams can detect compromised or misused identities before they cause broader impact.
- Post-Authentication Behaviour: The actions an identity performs after it successfully authenticates, including commands, resource access, privilege escalation, and lateral movement. For human, NHI, and AI agent identities, this behaviour is often the only place compromise becomes visible.
- Identity Graph: A connected view of identities and their relationships across cloud, hybrid, and on-premises systems. It helps analysts trace which identity acted, how related identities were involved, and where compromise or misuse spread after initial access.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance in your organisation, it is worth exploring.
This post draws on content published by Permiso Security: Permiso wins Best Identity Threat Detection and Response Platform at the 2026 Cybersecurity Stars Awards. Read the original.
Published by the NHIMG editorial team on 2026-06-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org